CVE-2024-13138
Published: 05 January 2025
Description
Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting.
Security Summary
CVE-2024-13138 is a critical vulnerability in wangl1989 mysiteforme version 1.0, affecting the upload function within the file src/main/java/com/mysiteform/admin/service/ipl/LocalUploadServiceImpl. The issue enables unrestricted file upload via manipulation of the "test" argument and can be triggered remotely.
Attackers with high privileges (PR:H) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation results in low impacts to confidentiality, integrity, and availability, as reflected in its CVSS 3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L). It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
Advisories and further details, including the publicly disclosed exploit, are available in the GitHub repository wangl1989/mysiteforme issue #55 and VulDB entries at ctiid.290212, id.290212, and submit.468511. The vulnerability was published on 2025-01-05T11:15:05.747, and the exploit may be used.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted upload of dangerous files (e.g., JSP trojans, HTML) in a public-facing web app enables exploitation (T1190), web shell execution (T1100) and persistence (T1505.003), and staging tools/malware (T1608.002).